:1984:
Google Pixel bug lets you “uncrop” the last four years of screenshots
New tool reveals cropped-out screenshot info isn't deleted, can be recovered.Back in 2018, Pixel phones gained a built-in screenshot editor called "Markup" with the release of Android 9.0 Pie. The tool pops up whenever you take a screenshot, and tapping the app's pen icon gives you access to tools like crop and a few colored drawing pens. That's very handy assuming Google's Markup tool actually does what it says, but a new vulnerability points out the edits made by this tool weren't actually destructive! It's possible to uncrop or unredact Pixel screenshots taken during the past four years.
[...]
the Android 9 release of the Markup tool worked correctly and truncated the overwritten file. Android 10 brought a lot of dramatic "Scoped Storage" changes to how file storage worked in Android, though. It's unclear how or why this happened, but perhaps as part of that huge wave of file-handling commits, one undocumented change made it into the Android Framework file parser: the Framework's "write" mode stopped truncating overwritten files, and the bug in Markup was created. The Markup tool relied on the OS's file handling, and the way it worked changed in a later release, which it looks like nobody noticed.
Love to live in a world dominated by such competent tech overlords
people not understanding what cropping does is the fault of the ui designer and the user.
there are use-cases or workflows where you want to drag the boundary around a little bit before committing to the change and it's annoying to go from not cropped at all to a harsh crop and then have to undo and redo the entire operation instead of sliding back a little bit and un-cropping a little bit.
this also isn't the first time i've heard of digital cropping not quite doing what people think. i'd be surprised if there isn't some history with like chemical photo developing where cropping was done by non-destructively matting the negative and that's why cropping doesn't destroy all the data in photo shop and its derivatives, but physical photography is outside my expertise.
if the ui properly explained the operation then you'd catch these things. like, "I have this giant photo and crop down to 10% of it, why is the file size still the same?"
This happens in my iPhone. I always thought this was a feature lol. If you crop saved photos or new screenshots, you can revert it back to normal.
On iPhone you can choose to share the original file allowing the edits to be undone, or a “flattened” file without that capability.
The problem here is that Google changed an API default that influenced how the final file was written when preparing a “flattened” version of the file, the end result allowing people to restore some of the original data. A detailed writeup is here: https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html
Yeah, this is a feature and intentional, much like cropping via the "Photos" app on Android. But the cropped output file (what you send to others) does not contain the redacted information.
"Markup" was a component that shows the user a thumbnail of the screenshot after taking it, which can be tapped to bring up the editor, or it just brings up the editor after every screenshot and lets the user edit it (behavior might differ by version). Its output files which were shared with others did contain the redacted info.
On iOS it does that by keeping a copy of the original, and making a new file for the edited version
Most phones have a similar functionality, where you take a screenshot and can tap a little thumbnail of it that sits on screen for a second to bring up the editor/sharing options. This bug is specific to the "Markup" tool that Google Pixel phones have though, but it's possible other tools baked into custom Android UIs might suffer from it as well.
I checked the images output by the screenshot editor on my phone, which isn't Markup since it's not a Pixel phone, and the file doesn't contain any of the redacted data.